post
/incident/batch
Update a batch of incidents. To update incident custom fields, lowercase the field name and remove all spaces, for example: Scan IP -> scanip. To find the actual key name, you can also go to the Cortex XSOAR CLI, run /incident_add, and look for the key that you would like to update.
Body parameters
REQUEST BODY
{
"all": true,
"filter": {
"parent": [
"parent",
"parent"
],
"reason": [
"reason",
"reason"
],
"notInvestigation": [
"notInvestigation",
"notInvestigation"
],
"totalOnly": true,
"type": [
"type",
"type"
],
"fromActivatedDate": "2000-01-23T04:56:07.000+00:00",
"notCategory": [
"notCategory",
"notCategory"
],
"fromDateLicense": "2000-01-23T04:56:07.000+00:00",
"andOp": true,
"searchAfterElastic": [
"searchAfterElastic",
"searchAfterElastic"
],
"searchBefore": [
"searchBefore",
"searchBefore"
],
"details": "details",
"id": [
"id",
"id"
],
"toActivatedDate": "2000-01-23T04:56:07.000+00:00",
"period": {
"fromValue": "fromValue",
"toValue": "toValue",
"byFrom": "byFrom",
"field": "field",
"by": "by",
"byTo": "byTo"
},
"searchAfterMapOrder": {
"key": 6
},
"level": [
4,
4
],
"query": "query",
"notStatus": [
2,
2
],
"sort": [
{
"asc": true,
"field": "field",
"fieldType": "fieldType"
},
{
"asc": true,
"field": "field",
"fieldType": "fieldType"
}
],
"users": [
"users",
"users"
],
"fromDate": "2000-01-23T04:56:07.000+00:00",
"size": 1,
"fromReminder": "2000-01-23T04:56:07.000+00:00",
"name": [
"name",
"name"
],
"files": [
"files",
"files"
],
"searchAfter": [
"searchAfter",
"searchAfter"
],
"fromClosedDate": "2000-01-23T04:56:07.000+00:00",
"page": 0,
"fields": [
"fields",
"fields"
],
"Cache": {
"key": [
"Cache",
"Cache"
]
},
"status": [
2,
2
],
"ignoreWorkers": true,
"filterobjectquery": "filterobjectquery",
"urls": [
"urls",
"urls"
],
"systems": [
"systems",
"systems"
],
"includeTmp": true,
"toClosedDate": "2000-01-23T04:56:07.000+00:00",
"searchAfterMap": {
"key": [
"searchAfterMap",
"searchAfterMap"
]
},
"toDueDate": "2000-01-23T04:56:07.000+00:00",
"fromDueDate": "2000-01-23T04:56:07.000+00:00",
"searchBeforeElastic": [
"searchBeforeElastic",
"searchBeforeElastic"
],
"toDate": "2000-01-23T04:56:07.000+00:00",
"trim_events": 5,
"toReminder": "2000-01-23T04:56:07.000+00:00",
"timeFrame": 5,
"investigation": [
"investigation",
"investigation"
],
"accounts": {
"key": "{}"
},
"category": [
"category",
"category"
]
},
"CustomFields": {
"key": "{}"
},
"overrideInvestigation": true,
"closeNotes": "closeNotes",
"data": {
"key": "{}"
},
"columns": [
"columns",
"columns"
],
"line": "line",
"ids": [
"ids",
"ids"
],
"force": true,
"originalIncidentId": "originalIncidentId",
"closeReason": "closeReason"
}
<!-- Example XML request body for POST /incident/batch. The values aeiou,
     123456789 and UNDEFINED_EXAMPLE_VALUE appear to be generator placeholders,
     not real incident data. -->
<UpdateDataBatch>
<CustomFields>UNDEFINED_EXAMPLE_VALUE</CustomFields>
<all>true</all>
<closeNotes>aeiou</closeNotes>
<closeReason>aeiou</closeReason>
<columns>aeiou</columns>
<data>UNDEFINED_EXAMPLE_VALUE</data>
<!-- NOTE(review): the children of <null> match keys listed under "filter" in
     the JSON example, so "null" looks like a generator artifact standing in
     for the filter element; confirm the real element name against the API
     schema before sending XML. -->
<null>
<Cache>UNDEFINED_EXAMPLE_VALUE</Cache>
<accounts>UNDEFINED_EXAMPLE_VALUE</accounts>
<andOp>true</andOp>
<category>aeiou</category>
<details>aeiou</details>
<fields>aeiou</fields>
<files>aeiou</files>
<filterobjectquery>aeiou</filterobjectquery>
<fromActivatedDate>2000-01-23T04:56:07.000Z</fromActivatedDate>
<fromClosedDate>2000-01-23T04:56:07.000Z</fromClosedDate>
<fromDate>2000-01-23T04:56:07.000Z</fromDate>
<fromDateLicense>2000-01-23T04:56:07.000Z</fromDateLicense>
<fromDueDate>2000-01-23T04:56:07.000Z</fromDueDate>
<fromReminder>2000-01-23T04:56:07.000Z</fromReminder>
<id>aeiou</id>
<ignoreWorkers>true</ignoreWorkers>
<includeTmp>true</includeTmp>
<investigation>aeiou</investigation>
<name>aeiou</name>
<notCategory>aeiou</notCategory>
<notInvestigation>aeiou</notInvestigation>
<page>123456789</page>
<parent>aeiou</parent>
<query>aeiou</query>
<reason>aeiou</reason>
<searchAfter>aeiou</searchAfter>
<searchAfterElastic>aeiou</searchAfterElastic>
<searchAfterMap>UNDEFINED_EXAMPLE_VALUE</searchAfterMap>
<searchAfterMapOrder>UNDEFINED_EXAMPLE_VALUE</searchAfterMapOrder>
<searchBefore>aeiou</searchBefore>
<searchBeforeElastic>aeiou</searchBeforeElastic>
<size>123456789</size>
<systems>aeiou</systems>
<timeFrame>123456789</timeFrame>
<toActivatedDate>2000-01-23T04:56:07.000Z</toActivatedDate>
<toClosedDate>2000-01-23T04:56:07.000Z</toClosedDate>
<toDate>2000-01-23T04:56:07.000Z</toDate>
<toDueDate>2000-01-23T04:56:07.000Z</toDueDate>
<toReminder>2000-01-23T04:56:07.000Z</toReminder>
<totalOnly>true</totalOnly>
<trim_events>123456789</trim_events>
<type>aeiou</type>
<urls>aeiou</urls>
<users>aeiou</users>
</null>
<force>true</force>
<ids>aeiou</ids>
<line>aeiou</line>
<originalIncidentId>aeiou</originalIncidentId>
<overrideInvestigation>true</overrideInvestigation>
</UpdateDataBatch>
CURL
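# Example requests for POST /incident/batch, one command per body format.
# curl joins repeated -d values with "&", and Content-Type has to name the one
# media type actually sent, so the JSON and XML variants are separate commands.
#
# [[apiKey]] is the documentation placeholder for the API key. A key typed on
# the command line ends up in shell history and in the process list; curl can
# read headers from a file instead (-H @FILE).
#
# The generated bodies fill every field with a placeholder value; a real
# request should carry only the fields it needs.
# NOTE(review): "all", "force" and "filter" appear next to "ids"; presumably
# they decide which incidents are selected and whether the update is forced.
# Confirm against the API reference before sending a bulk update.

# Variant 1: JSON body.
curl -X 'POST' \
  -H "Authorization: [[apiKey]]" \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  'https://hostname:443/incident/batch' \
  -d '{
"all" : true,
"filter" : {
"parent" : [ "parent", "parent" ],
"reason" : [ "reason", "reason" ],
"notInvestigation" : [ "notInvestigation", "notInvestigation" ],
"totalOnly" : true,
"type" : [ "type", "type" ],
"fromActivatedDate" : "2000-01-23T04:56:07.000+00:00",
"notCategory" : [ "notCategory", "notCategory" ],
"fromDateLicense" : "2000-01-23T04:56:07.000+00:00",
"andOp" : true,
"searchAfterElastic" : [ "searchAfterElastic", "searchAfterElastic" ],
"searchBefore" : [ "searchBefore", "searchBefore" ],
"details" : "details",
"id" : [ "id", "id" ],
"toActivatedDate" : "2000-01-23T04:56:07.000+00:00",
"period" : {
"fromValue" : "fromValue",
"toValue" : "toValue",
"byFrom" : "byFrom",
"field" : "field",
"by" : "by",
"byTo" : "byTo"
},
"searchAfterMapOrder" : {
"key" : 6
},
"level" : [ 4, 4 ],
"query" : "query",
"notStatus" : [ 2, 2 ],
"sort" : [ {
"asc" : true,
"field" : "field",
"fieldType" : "fieldType"
}, {
"asc" : true,
"field" : "field",
"fieldType" : "fieldType"
} ],
"users" : [ "users", "users" ],
"fromDate" : "2000-01-23T04:56:07.000+00:00",
"size" : 1,
"fromReminder" : "2000-01-23T04:56:07.000+00:00",
"name" : [ "name", "name" ],
"files" : [ "files", "files" ],
"searchAfter" : [ "searchAfter", "searchAfter" ],
"fromClosedDate" : "2000-01-23T04:56:07.000+00:00",
"page" : 0,
"fields" : [ "fields", "fields" ],
"Cache" : {
"key" : [ "Cache", "Cache" ]
},
"status" : [ 2, 2 ],
"ignoreWorkers" : true,
"filterobjectquery" : "filterobjectquery",
"urls" : [ "urls", "urls" ],
"systems" : [ "systems", "systems" ],
"includeTmp" : true,
"toClosedDate" : "2000-01-23T04:56:07.000+00:00",
"searchAfterMap" : {
"key" : [ "searchAfterMap", "searchAfterMap" ]
},
"toDueDate" : "2000-01-23T04:56:07.000+00:00",
"fromDueDate" : "2000-01-23T04:56:07.000+00:00",
"searchBeforeElastic" : [ "searchBeforeElastic", "searchBeforeElastic" ],
"toDate" : "2000-01-23T04:56:07.000+00:00",
"trim_events" : 5,
"toReminder" : "2000-01-23T04:56:07.000+00:00",
"timeFrame" : 5,
"investigation" : [ "investigation", "investigation" ],
"accounts" : {
"key" : "{}"
},
"category" : [ "category", "category" ]
},
"CustomFields" : {
"key" : "{}"
},
"overrideInvestigation" : true,
"closeNotes" : "closeNotes",
"data" : {
"key" : "{}"
},
"columns" : [ "columns", "columns" ],
"line" : "line",
"ids" : [ "ids", "ids" ],
"force" : true,
"originalIncidentId" : "originalIncidentId",
"closeReason" : "closeReason"
}'

# Variant 2: XML body. The <null> wrapper is reproduced from the generated
# example; its children match keys under "filter" in the JSON body, so confirm
# the real element name against the API schema before relying on it.
curl -X 'POST' \
  -H "Authorization: [[apiKey]]" \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/xml' \
  'https://hostname:443/incident/batch' \
  -d '<UpdateDataBatch>
<CustomFields>UNDEFINED_EXAMPLE_VALUE</CustomFields>
<all>true</all>
<closeNotes>aeiou</closeNotes>
<closeReason>aeiou</closeReason>
<columns>aeiou</columns>
<data>UNDEFINED_EXAMPLE_VALUE</data>
<null>
<Cache>UNDEFINED_EXAMPLE_VALUE</Cache>
<accounts>UNDEFINED_EXAMPLE_VALUE</accounts>
<andOp>true</andOp>
<category>aeiou</category>
<details>aeiou</details>
<fields>aeiou</fields>
<files>aeiou</files>
<filterobjectquery>aeiou</filterobjectquery>
<fromActivatedDate>2000-01-23T04:56:07.000Z</fromActivatedDate>
<fromClosedDate>2000-01-23T04:56:07.000Z</fromClosedDate>
<fromDate>2000-01-23T04:56:07.000Z</fromDate>
<fromDateLicense>2000-01-23T04:56:07.000Z</fromDateLicense>
<fromDueDate>2000-01-23T04:56:07.000Z</fromDueDate>
<fromReminder>2000-01-23T04:56:07.000Z</fromReminder>
<id>aeiou</id>
<ignoreWorkers>true</ignoreWorkers>
<includeTmp>true</includeTmp>
<investigation>aeiou</investigation>
<name>aeiou</name>
<notCategory>aeiou</notCategory>
<notInvestigation>aeiou</notInvestigation>
<page>123456789</page>
<parent>aeiou</parent>
<query>aeiou</query>
<reason>aeiou</reason>
<searchAfter>aeiou</searchAfter>
<searchAfterElastic>aeiou</searchAfterElastic>
<searchAfterMap>UNDEFINED_EXAMPLE_VALUE</searchAfterMap>
<searchAfterMapOrder>UNDEFINED_EXAMPLE_VALUE</searchAfterMapOrder>
<searchBefore>aeiou</searchBefore>
<searchBeforeElastic>aeiou</searchBeforeElastic>
<size>123456789</size>
<systems>aeiou</systems>
<timeFrame>123456789</timeFrame>
<toActivatedDate>2000-01-23T04:56:07.000Z</toActivatedDate>
<toClosedDate>2000-01-23T04:56:07.000Z</toClosedDate>
<toDate>2000-01-23T04:56:07.000Z</toDate>
<toDueDate>2000-01-23T04:56:07.000Z</toDueDate>
<toReminder>2000-01-23T04:56:07.000Z</toReminder>
<totalOnly>true</totalOnly>
<trim_events>123456789</trim_events>
<type>aeiou</type>
<urls>aeiou</urls>
<users>aeiou</users>
</null>
<force>true</force>
<ids>aeiou</ids>
<line>aeiou</line>
<originalIncidentId>aeiou</originalIncidentId>
<overrideInvestigation>true</overrideInvestigation>
</UpdateDataBatch>'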
Responses